简单记录一下 ESXi 主机更换 HTTPS 证书的方法：

# castore 用处尚未查证，不建议修改
/etc/vmware/ssl/castore.pem
# crt 使用 nginx 格式，将证书和中间证书合并在一个文件里
/etc/vmware/ssl/rui.crt
/etc/vmware/ssl/rui.key

services.sh restart

因为不建议开启 SSH 服务，所以不推荐远程更换的方法。

如果需要 Let’s Encrypt 解决方案，建议参考这个脚本：

	#!/bin/bash
	#
	## -----------------------------=[ WARNING ]=-------------------------------- ##
	#
	# This script is now woefully out of date due to which accounts ESXi allows to
	# ssh into the box as well as sticky folders/file flags.
	# I've since ported the whole thing to python with a lot of bells and whistles
	# and if i get around to making it public, i'll put a link here.
	#
	## -------------------------------=[ Info ]=--------------------------------- ##
	#
	# Generate letsencrypt cert on local server and scp to esxi target.
	# Designed and tested on Ubuntu 16.04LTS.
	# Assumes you have upnp control over local network. Tested with Ubiquiti USG.
	#
	# Dependencies:
	# miniupnpc (sudo apt install miniupnpc)
	# certbot (sudo apt install certbot)
	#
	## -=[ Author ]=------------------------------------------------------------- ##
	#
	# shr00mie
	# 9.21.2018
	# v0.5
	#
	## -=[ Use Case ]=----------------------------------------------------------- ##
	#
	# Allows for the generation of certificates on a separate host which can then
	# be securely copied to target esxi host.
	#
	## -=[ Breakdown ]=---------------------------------------------------------- ##
	#
	# 1. Prompt for esxi target FQDN, reminder email, and esxi admin username
	# 2. Check if ssh keys exist for target.
	# - If keys exist, continue.
	# - If keys don't exist:
	# - Silently generate 4096 RSA key, no passphrase, user@target as comment.
	# - Add key to ssh-agent
	# - Create target folder/file structure for scp automation
	# - Restart SSH service on target.
	# 3. Enable port forwarding.
	# 4. Generate 4096 bit letsencrypt cert
	# 5. Backup existing cert with datetime suffix
	# 6. Copy cert to target
	# 7. Restart target services
	# 8. Remove port forwarding
	#
	## -=[ To-Do ]=-------------------------------------------------------------- ##
	#
	# change: PermitRootLogin yes -> PermitRootLogin no
	# add: ChallengeResponseAuthentication no
	# add: PasswordAuthentication no
	#
	## -=[ Functions ]=---------------------------------------------------------- ##
	# Usage: status "Status Text"
	function status() {
	GREEN='\033[00;32m'
	RESTORE='\033[0m'
	echo -e "\n...${GREEN}$1${RESTORE}...\n"
	}
	# Usage: input "Prompt Text" "Variable Name"
	function input() {
	GREEN='\033[00;32m'
	RESTORE='\033[0m'
	echo -en "\n...${GREEN}$1${RESTORE}: "
	read $2
	echo -e ""
	}
	function pressanykey(){
	GREEN='\033[00;32m'
	RESTORE='\033[0m'
	echo -en "\n...${GREEN}$1. Press any key to continue.${RESTORE}..."
	read -r -p "" -n 1
	}
	## ---------------------------=[ Script Start ]=----------------------------- ##
	# Importing Variables
	status "Importing Variables"
	# Read ESXiHost
	input "Enter the FQDN for the certificate/host in host.domain.tld format" "ESXiHost"
	# Read Email
	input "Enter the email for confirmation & renewal notifications" "Email"
	# Read ESXiUser
	input "Enter ESXi target admin username" "ESXiUser"
	# Prompt user to confirm/enable SSH on ESXi target
	pressanykey "Confirm/Enable SSH access on $ESXiHost."
	# Check for existing ssh keys for esxi host
	status "Checking for existing ssh keys for $ESXiHost"
	if [[ -e ~/.ssh/$ESXiHost'_rsa' ]]
	then
	status "Keys for $ESXiHost exist. Continuing"
	else
	status "Keys for $ESXiHost not found. Generating 4096 bit keys"
	# Generate 4096 bit key for user@target
	ssh-keygen -b 4096 -t rsa -f ~/.ssh/$ESXiHost'_rsa' -q -N "" -C "$ESXiUser@$HOSTNAME LetsEncrypt"
	status "Adding new key to ssh-agent"
	# Add key to agent
	eval `ssh-agent` && ssh-add ~/.ssh/$ESXiHost'_rsa'
	status "Configuring $ESXiHost for ssh access"
	# Store key as variable
	pubkey=`cat ~/.ssh/$ESXiHost'_rsa.pub'`
	# Create directory for authorized user, copy key to target, set permissions,
	# and restart ssh service on target.
	ssh $ESXiUser@$ESXiHost "mkdir -p /etc/ssh/keys-$ESXiUser &&
	echo $pubkey > /etc/ssh/keys-$ESXiUser/authorized_keys &&
	chmod 700 -R /etc/ssh/keys-$ESXiUser &&
	chmod 600 /etc/ssh/keys-$ESXiUser/authorized_keys &&
	chown -R $ESXiUser /etc/ssh/keys-$ESXiUser &&
	/etc/init.d/SSH restart"
	fi
	# Enable UPnP http(s) port forward for requesting device
	status "Enabling http(s) port forwarding to client for letsencrypt verification"
	upnpc -e "letsencrypt http" -r 80 tcp
	upnpc -e "letsencrypt https" -r 443 tcp
	# Acquire letsencrypt cert
	status "Requesting 4096 bit certificate for $ESXiHost"
	sudo certbot certonly --standalone --preferred-challenges tls-sni --agree-tos -m $Email -d $ESXiHost --rsa-key-size 4096
	# Backup existing SSL components on ESXi target
	status "Backing up existing certificates on $ESXiHost"
	time=$(date +%Y.%m.%d_%H:%M:%S)
	ssh $ESXiUser@$ESXiHost "cp /etc/vmware/ssl/castore.pem /etc/vmware/ssl/castore.pem.back.$time"
	ssh $ESXiUser@$ESXiHost "cp /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.back.$time"
	ssh $ESXiUser@$ESXiHost "cp /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.back.$time"
	# Copy letsencrypt cert to ESXi target
	status "Coping letsencrypt cert to $ESXiHost"
	sudo scp /etc/letsencrypt/live/$ESXiHost/fullchain.pem $ESXiUser@$ESXiHost:/etc/vmware/ssl/castore.pem
	sudo scp /etc/letsencrypt/live/$ESXiHost/cert.pem $ESXiUser@$ESXiHost:/etc/vmware/ssl/rui.crt
	sudo scp /etc/letsencrypt/live/$ESXiHost/privkey.pem $ESXiUser@$ESXiHost:/etc/vmware/ssl/rui.key
	# Restart services on ESXi target
	status "Restarting services on $ESXiHost"
	ssh $ESXiUser@$ESXiHost "services.sh restart"
	# Disable UPnP http(s) port forward
	status "Removing http(s) port forwarding"
	upnpc -d 80 tcp
	upnpc -d 443 tcp
	# Prompt user to confirm/disable SSH on ESXi target
	pressanykey "Remember to disable SSH service on $ESXiHost"

view raw letsencrypt_esxi.sh hosted with by GitHub

ESXi 更换 HTTPS 证书 by 桔子小窝 is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.